Why LGPD projects stall

Policies-only approach: 200-page PDF with no operational impact.

Outdated or non-existent data mapping — the foundation of the whole program.

Data subject rights (access, deletion, portability) solved manually by tickets.

Shadow data: personal data in SaaS, spreadsheets and repositories without control.

Incident response without defined flow for ANPD notification (72h).

No KPIs to show the executive board. Compliance feels like a cost center.

The Evernow 120-day roadmap

Days 1–30: Discovery & Gap

Automated personal data discovery (Securiti / Purview), interviews with 6–10 areas, legal-basis matrix and gap vs. LGPD / ANPD.

Days 31–60: Foundations

RoPA (data inventory) live in a platform, DPIA on critical flows, privacy notice, contracts with operators, retention policy.

Days 61–90: Controls

Consent management, data-subject-request portal, DLP on critical flows, pseudonymization/encryption on sensitive datasets, cookie banner at ANPD standard.

Days 91–120: Evidence & Governance

Incident playbook with 72h ANPD flow, indicator dashboard, internal training, first privacy committee, ready evidence binder.

Ongoing: DPO as a Service

Certified DPO on retainer, monthly follow-ups, ANPD response, audit support, continuous improvement.

Executive KPIs

% mapped data assets, % flows with legal basis, MTTR for data-subject requests, open DPIAs, residual risk score.

14 concrete deliverables (not slides)

  • Live RoPA (data inventory) in platform
  • DPIA on the top-10 critical flows
  • Privacy Notice (public)
  • Internal Data Protection Policy
  • Data Retention Policy per asset
  • Supplier/operator contracts (template + playbook)
  • International transfer matrix
  • Consent management + cookie banner (ANPD standard)
  • Data Subject Request portal (access, deletion, portability)
  • Incident playbook with 72h ANPD notification flow
  • Training (C-level + operational + developers)
  • Privacy governance committee charter
  • Executive KPI dashboard
  • Audit-ready evidence binder

FAQ

Frequently asked questions about LGPD compliance

For a mid-sized company (100-1000 employees), Evernow's full roadmap is 120 days with weekly deliverables: month 1 (mapping, RoPA), month 2 (DPIA + legal bases), month 3 (policies + training + contracts), month 4 (data subject channel + ANPD evidence). Small companies can do it in 60-90 days.

LGPD requires a DPO but not in-house. DPO as a Service makes sense for companies up to ~500 employees (cost of R$ 4-12k/month vs R$ 25k+ internal salary). Companies with massive data processing (digital retail, banks, healthcare) or high risk usually prefer in-house DPO mid-term.

DPIA (Data Protection Impact Assessment, or RIPD in PT-BR) is a detailed risk assessment. ANPD requires DPIA when: processing involves sensitive data at scale, automated decisions with impact, systematic monitoring of public areas, data of children/teens, or high-risk new technologies.

Yes. We have an LGPD incident response playbook: containment in 24h, forensic analysis, ANPD notification within 48h per Resolution CD/ANPD 15/2024, data subject notification if applicable, and support for any TAP (Conduct Adjustment Term). Our team includes ANPD-trained DPOs.

Ranges in 2026: small company (<100 employees, no sensitive data) R$ 25-60k. Medium (100-500) R$ 80-180k. Large (500+, with sensitive data) R$ 200-500k+. Includes consulting, tools (Securiti or Microsoft Purview) and DPO as a Service for 12 months. Audits and POCs are separate.

Yes. In 2024-2026, ANPD applied fines to companies of all sizes. Maximum fine: 2% of revenue, up to R$ 50 million per infraction. Small companies are usually notified first with time to fix. Failing to respond or repeating infractions is what escalates to a heavy fine.

Ready to kick off your LGPD program?

Free 30-minute diagnosis with a certified DPO. Walk out with priorities and a realistic roadmap.

Take the free assessment